Assigning Read Access to Windows Private Key

I have written about authenticating with the Pure1 REST API and about my PowerShell module in the past.

One issue is that if you followed my default instructions, you would need to run the PowerShell window as an admin to be able to create the connection. The reason, now that I think about it, is fairly obvious: non-admin users (or admins not running in admin mode) don’t have security rights to the certificate’s private key. Duh!

The internal method used in the cmdlet is GetRSAPrivateKey:

You will see a cryptic error: Exception calling “GetRSAPrivateKey” with “1” argument(s): “Invalid provider type specified.”

So there are a couple of ways to fix this.


First, in the GUI. Launch MMC, go to Add/Remove Snap-in, and choose Certificates. Where your cert is stored dictates which one you choose. My cert is stored in the Personal folder of the local machine store:


You can see my cert here:

So right-click and choose Properties > Manage Private Keys…

Click Add then add the user you want to be able to access the private key.

It defaults to full control, but you do not need that; you can just give read access if you prefer:

Now you can run it without being in admin mode:


If you want to do this in PowerShell, it is fairly simple too. This part does need to be run as admin! But once done, the Pure1 module can be run as a regular user.

Grab your cert:

$CertObj = Get-ChildItem Cert:\LocalMachine\my\6D75482829CBDB7FCF8AADD193A71BB4299AC1BD

Then grab the permissions of the key:

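# Get the RSA key object so its on-disk file name can be looked up
$rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($CertObj)
$fileName = $rsaCert.key.UniqueName
$path = "$env:ALLUSERSPROFILE\Microsoft\Crypto\Keys\$fileName"
$permissions = Get-Acl -Path $path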

Now create the permission. In this case the username is “cody” and I want to provide “read” permissions:

$rule = New-Object Security.AccessControl.FileSystemAccessRule "cody", "Read", "Allow"

Now apply the new permission:

$permissions.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $permissions

All good now!
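
The PowerShell steps above combined into one function, as an added example that is not from the original post or the Pure1 module. The name Grant-PrivateKeyRead and its parameters are hypothetical, and the lookup in Crypto\RSA\MachineKeys (where legacy CSP keys are stored) goes beyond the single path used in the post.

```powershell
# Added example; Grant-PrivateKeyRead and its parameters are hypothetical names.
# Run from an elevated session, as the post notes for the manual steps.
function Grant-PrivateKeyRead {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,  # cert in Cert:\LocalMachine\My
        [Parameter(Mandatory)][string]$Account      # e.g. 'cody' or 'DOMAIN\user'
    )

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw "Certificate $Thumbprint does not have an RSA private key." }

    # The key file name comes from a different property depending on the provider type.
    $fileName = if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        $rsa.Key.UniqueName
    }
    if (-not $fileName) { throw "Could not determine the key file name for $Thumbprint." }

    # CNG keys are stored under Crypto\Keys (the path used in the post);
    # legacy CSP keys under Crypto\RSA\MachineKeys. Use whichever file exists.
    $path = 'Microsoft\Crypto\Keys', 'Microsoft\Crypto\RSA\MachineKeys' |
        ForEach-Object { Join-Path (Join-Path $env:ALLUSERSPROFILE $_) $fileName } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    if (-not $path) { throw "Key file '$fileName' not found under $env:ALLUSERSPROFILE\Microsoft\Crypto." }

    # Grant Read only; as the post notes, Full Control is not needed.
    $acl  = Get-Acl -Path $path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($path, "Grant Read to $Account")) {
        Set-Acl -Path $path -AclObject $acl
    }

    # Return the resulting entries so the grant can be reviewed.
    (Get-Acl -Path $path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Constructed usage; substitute your own certificate thumbprint:
# Grant-PrivateKeyRead -Thumbprint '<THUMBPRINT>' -Account 'cody' -WhatIf
```

Running it with -WhatIf first shows which key file would be modified without changing its ACL.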
